On 22 March 2010 15:41, Sean Mullan <sean.mul...@sun.com> wrote:
> Andrew John Hughes wrote:
>>
>> On 18 March 2010 21:12, Christopher Hegarty -Sun Microsystems Ireland
>> <christopher.hega...@sun.com> wrote:
>>>
>>> Andrew John Hughes wrote:
>>>>
>>>> On 18 March 2010 20:56, Christopher Hegarty -Sun Microsystems Ireland
>>>> <christopher.hega...@sun.com> wrote:
>>>>>
>>>>> Brad, Pavel, Andrew,
>>>>>
>>>>> I'm also not comfortable with this test, but what bothers me more than
>>>>> the reliance on an external server is the reliance on cacerts. While
>>>>> cacerts (or equivalent) is not part of OpenJDK I don't think it makes
>>>>> sense adding a test to OpenJDK that has a reliance on it.
>>>>>
>>>>> For now I think it makes more sense to add a test like this to wherever
>>>>> in the build process cacerts (or equivalent) is added.
>>>>>
>>>> The problem is nothing does in the OpenJDK build process. So SSL is
>>>> always broken for OpenJDK builds. Is this something we really want?
>>>
>>> This is certainly not ideal, but is a separate issue to the test, right?
>>> It seems Sean or someone in the security team should comment on the
>>> possibility of adding root CAs to OpenJDK, until then I don't see any
>>> requirement for a test.
>
> I don't have an answer right now - this will take some more investigation
> first.
>
>> My thoughts too. We have a solution for GNU/Linux where cacerts is
>> populated from the crt files found on the system (installed by Mozilla
>> and the like). I don't know what the equivalent would be for Windows
>> and Solaris though. A quick look on my OpenSolaris box didn't find
>> any crt files but I only looked in installed packages. I presume
>> firefox may bring some in if it's available.
>
> On Windows you can use the "Windows-ROOT" KeyStore type, ex:
>
> keytool -list -keystore NONE -storetype Windows-ROOT
>

Ok, so that presumably makes some Windows system call, right?

> I haven't tried it, but you could probably use the keytool -importkeystore
> option to import all of these certs into the cacerts file.
>
> On Solaris, you could use the /usr/java/jre/lib/security/cacerts file.
>

Isn't that exactly what's being installed? Though maybe there's a general
solution there of importing from the bootstrap JDK.

>
> --Sean
>

-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
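The GNU/Linux approach mentioned in the thread (populating cacerts from the crt files found on the system), sketched as an added example; it is not code from any poster or from the OpenJDK build. The function names, the alias scheme, the directory and keystore arguments and the default store password are assumptions.

```shell
#!/bin/sh
# Added example: build a Java trust store from PEM .crt files in a directory.
# Assumed usage (not from the thread): script CERT_DIR KEYSTORE [STOREPASS]

# Derive a keystore alias from a certificate file name: strip ".crt",
# lowercase, and map anything outside [a-z0-9_-] to '_'.
cert_alias() {
    base=$(basename "$1" .crt)
    printf '%s' "$base" | tr '[:upper:]' '[:lower:]' | tr -c 'a-z0-9_-' '_'
}

# True only if the file carries a PEM certificate header, so stray files
# named *.crt are never handed to keytool.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Import every PEM certificate in $1 into keystore $2 (password $3) as a
# trusted CA entry. Prints the number of certificates imported; skipped and
# failed files are reported on stderr so trust-store changes stay auditable.
import_dir() {
    dir=$1; ks=$2; pass=$3
    count=0
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue
        if ! is_pem_cert "$f"; then
            echo "skip (not PEM): $f" >&2
            continue
        fi
        name=$(cert_alias "$f")
        # A duplicate alias makes keytool fail, so a second file that maps
        # to the same alias is reported rather than silently replacing one.
        if keytool -importcert -noprompt -trustcacerts -alias "$name" \
                -file "$f" -keystore "$ks" -storepass "$pass" >/dev/null 2>&1
        then
            count=$((count + 1))
        else
            echo "failed: $f" >&2
        fi
    done
    echo "$count"
}

# Run only when a directory and keystore are given on the command line.
if [ "$#" -ge 2 ]; then
    import_dir "$1" "$2" "${3:-changeit}"
fi
```

Every file imported this way becomes a trust anchor for TLS, so the source directory should be one that only the system's certificate package can write to.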